From owner-freebsd-current Wed Sep 5 17:59:46 2001
Date: Wed, 5 Sep 2001 19:56:44 -0500
From: Damieon Stark
To: current@freebsd.org
Subject: new /etc/security mod
Message-ID: <20010905195644.B31426@morpheus.telemere.net>
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-current@FreeBSD.ORG

Greetings all,

I have had a small modification to /etc/security floating around in my tree for a little while, and thought it would be best to submit it.

The modifications allow the /etc/security script to keep daily track of changes to all non char/block special files in /dev. Many nefarious activities tend to occur in /dev due to the often cryptic file names, and the level of understanding of the average administrator. I have seen boxen which have large files in /dev due to sniffer/keylogger activities. A daily database is created in /var/log similar to /var/log/setuid.today and /var/log/setuid.yesterday.

If I am way off my rocker, or somebody sees an obvious way to improve the method, please let me know. I realized this should be submitted when I got a report of the mod being used to detect a rooted box...

The .diff is against -current, but should apply to -stable as well...

Thanks, and keep up all the wonderful work!

visigoth

-- 
Damieon Stark, CCSE
Unix/Network Security Engineer currently seeking employment
______________________________________________________________________________
Damieon Stark                    | Microsoft: Where do you want to go today?
e: visigoth@securitycentric.com  | Linux: Where do you want to go tomorrow?
p: 612.382.6945                  | FreeBSD/Sun: Are you guys coming or what?
pgp: 0xBE5D0C57                  | http://www.sun.com/solaris - The . in .com
pgp.mit.edu                      | http://www.freebsd.org - The power to serve!
------------------------------------------------------------------------------
I'll see your DMCA and raise you a First Amendment. http://www.anti-dmca.org
------------------------------------------------------------------------------

[Attachment: security.diff]

--- security.old	Sun Sep  2 19:07:07 2001
+++ security	Sun Sep  2 19:59:29 2001
@@ -94,6 +94,27 @@ mv ${TMP} ${LOG}/setuid.today || rc=3D3 fi =20 +# Show any files in /dev which are not charactor, block +# device entries, or symlinks. + +find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP} + +if [ ! -f ${LOG}/devfiles.today ]; then + separator + echo "No ${LOG}/devfiles.today" + cp ${TMP} ${LOG}/devfiles.today || rc=3D3 +fi + +if ! cmp ${LOG}/devfiles.today ${TMP} >/dev/null; then + [ $rc -lt 1 ] && rc=3D1 + separator + echo "Checking for changes to non-device files in dev:" + diff -w ${LOG}/devfiles.today ${TMP} + mv ${LOG}/devfiles.today ${LOG}/devfiles.yesterday || rc=3D3 + mv ${TMP} ${LOG}/devfiles.today || rc=3D3 +fi + + # Show changes in the way filesystems are mounted # [ -n "$ignore" ] && cmd=3D"egrep -v ${ignore#|}" || cmd=3Dcat
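Review bot: the `find /dev ... | xargs ls -al` line splits file names on whitespace before they reach ls, and since the whole point of this check is to catch oddly named files in /dev, a name containing a space or newline will be listed as two or more nonexistent paths and the snapshot will miss it; letting find run ls itself (`find /dev \( -type f -o -type s -o -type p \) -exec ls -al {} \;`) passes each name intact, and `-o` is the portable spelling of `-or`. Minor: "charactor" in the new comment should be "character", and the comment's "or symlinks" is only implied by the expression (symlinks are none of the three listed types), so it is worth stating that the listing is of regular files, sockets and named pipes.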
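The same daily check as a stand-alone POSIX sh function, added here as an example (it is neither the author's patch nor FreeBSD's own /etc/security): the device and log directories are parameters so it can be exercised against a scratch directory, ls is run from find so names containing whitespace survive intact, and the snapshot is sorted so traversal order cannot produce spurious diffs. The function name and the devfiles.today/devfiles.yesterday file names are assumptions carried over from the patch.

```sh
# devfiles_check DEVDIR LOGDIR
# Snapshot every entry below DEVDIR that is a regular file, socket or named
# pipe (i.e. not a char/block device, directory or symlink), compare it with
# the previous snapshot in LOGDIR and rotate today -> yesterday on change.
# Returns 0 when nothing changed (or on the very first run), 1 when the
# listing differs, 3 when a snapshot file could not be written or rotated.
devfiles_check() {
    devdir=$1
    logdir=$2
    today="$logdir/devfiles.today"
    yesterday="$logdir/devfiles.yesterday"
    tmp="$logdir/devfiles.tmp.$$"
    rc=0
    # ls is run by find itself rather than through xargs: names containing
    # whitespace are passed intact, and an empty result yields an empty
    # snapshot (GNU xargs would still run "ls -al" once, listing the cwd).
    # sort makes the snapshot independent of directory traversal order.
    find "$devdir" \( -type f -o -type s -o -type p \) -exec ls -ld {} \; \
        | sort > "$tmp" || rc=3
    if [ ! -f "$today" ]; then
        echo "No $today"
        cp "$tmp" "$today" || rc=3
    fi
    if ! cmp -s "$today" "$tmp"; then
        [ "$rc" -lt 1 ] && rc=1
        echo "Checking for changes to non-device files in $devdir:"
        diff -w "$today" "$tmp" || :   # diff exits 1 when the files differ
        mv "$today" "$yesterday" || rc=3
        mv "$tmp" "$today" || rc=3
    else
        rm -f "$tmp"
    fi
    return "$rc"
}
```

Run it from a daily periodic job with the real directories (`devfiles_check /dev /var/log`) and act on a non-zero return or any diff output.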